I have a pretty simple setup. I've got a linux nat box, with some internal hosts. I've also got some servers in a dmz. It looks something like this:

              Internet
                 |
         (external network)
            |          |
          linux       dmz
          nat         hosts
            |
      (office network)
            |
       office hosts

I'd like to shape the office traffic that's going out to the internet, while leaving the office traffic to the dmz alone. After all, the network link to the dmz is fast.

I've been using wondershaper, since it's easy and works well, but I'm not sure how to add in an exception for the dmz hosts. Can I do this with tc, or is the entire interface shaped? It seems like I might be able to create a more explicit filter, but I'm having trouble getting it to work.

seph
On Thu, Mar 29, 2007 at 12:16:20 -0400, seph <seph@directionless.org> wrote:
> Can I do this with tc, or is the entire interface shaped? It seems
> like I might be able to create a more explicit filter, but I'm having
> trouble getting it to work.

You can filter on the destination ip address.
Bruno Wolff III <bruno@wolff.to> writes:
>> Can I do this with tc, or is the entire interface shaped? It seems
>> like I might be able to create a more explicit filter, but I'm having
>> trouble getting it to work.
>
> You can filter on the destination ip address.

Yes, I'd found that. And I can successfully write filters that match my dmz, and send things into the bulk bucket (1:30 in wondershaper), but I can't figure out how to not get them limited.

I think I need to use a filter to send them to the root, or to a non-existent class. But I tried both of those, and neither seemed to work.

Presumably something in the rest of my filter line is wrong, but I haven't found much in the docs. I've been playing around with something like:

    tc filter add dev eth0 parent 1: protocol all prio 1 u32 \
        match ip dst 1.2.3.4/32 flowid 1:1

for various flowids, and haven't found anything that works.

seph
On Fri, Mar 30, 2007 at 10:10:57 -0400, seph <seph@directionless.org> wrote:
> Bruno Wolff III <bruno@wolff.to> writes:
>
> >> Can I do this with tc, or is the entire interface shaped? It seems
> >> like I might be able to create a more explicit filter, but I'm having
> >> trouble getting it to work.
> >
> > You can filter on the destination ip address.
>
> Yes, I'd found that. And I can successfully write filters that match
> my dmz, and send things into the bulk bucket (1:30 in wondershaper),
> but I can't figure out how to not get them limited.

That doesn't sound right. I haven't looked at the commands generated by wondershaper, but it seems like you should have a new bucket for your unlimited traffic. 'bulk' suggests a bucket that has low priority, not no limit. You might have to filter the traffic a level higher. If the qdisc you are filtering already has some total limit, making a new class below it won't escape that.

> I think I need to use a filter to send them to the root, or to a
> non-existent class. But I tried both of those, and neither seemed to
> work.

I don't believe you can do that.
seph wrote:
> Bruno Wolff III <bruno@wolff.to> writes:
>
>>> Can I do this with tc, or is the entire interface shaped? It seems
>>> like I might be able to create a more explicit filter, but I'm having
>>> trouble getting it to work.
>> You can filter on the destination ip address.
>
> Yes, I'd found that. And I can successfully write filters that match
> my dmz, and send things into the bulk bucket (1:30 in wondershaper),
> but I can't figure out how to not get them limited.
>
> I think I need to use a filter to send them to the root, or to a
> non-existent class. But I tried both of those, and neither seemed to
> work.
>
> Presumably something in the rest of my filter line is wrong, but I
> haven't found much in the docs. I've been playing around with
> something like:
>
> tc filter add dev eth0 parent 1: protocol all prio 1 u32 \
> match ip dst 1.2.3.4/32 flowid 1:1
>
> for various flowids, and haven't found anything that works.

Which wondershaper? From memory the htb one is flawed in two ways:

- The rates add up to more than the parent's rate.
- It uses htb default (OK, the example is on ppp so it doesn't matter if you shape on ppp), but if you have it on eth it is not nice as arp will end up there.

Try changing default 30 to default 0 (or just don't specify default); either way htb will then let unclassified traffic through unshaped. You will need a new filter with highest prio to catch unclassified IP traffic, something like:

    ...... protocol ip prio 99 u32 match u32 0 0 flowid 1:30

I would also change all to ip in your filter that classifies the traffic to be exempted to a nonexisting flowid. There may well be a more elegant way to do the filtering, but that should work.

Andy.
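As an added example (not code from the thread or from wondershaper), here is a small shell script that builds a wondershaper-style HTB tree the way Andy describes: "default 0" so unclassified traffic leaves unshaped, a prio 1 filter that sends DMZ-bound traffic to a class that is deliberately never created, and a prio 99 catch-all that sends the remaining IP traffic to the bulk class. The device, rates, class layout (1:1, 1:10, 1:30, and the nonexistent 1:99) and the DMZ networks are assumptions; set TC=echo to print the commands without root.

```shell
#!/bin/sh
# Added example: HTB egress shaper that leaves DMZ-bound traffic unshaped.
#   - "htb default 0": anything no filter classifies is sent out unshaped
#   - prio 1 filters send DMZ traffic to class 1:99, which is never created;
#     HTB finds no such class, falls back to the (absent) default class and
#     passes the packet straight through
#   - a prio 99 catch-all sends the rest of the IP traffic to bulk class 1:30
# TC can be overridden (TC=echo) to print the commands instead of running them.
TC=${TC:-tc}

# $1 = device, $2 = uplink rate in kbit, remaining arguments = DMZ networks (CIDR).
shape_exempt_dmz() {
    dev=$1; rate=$2; shift 2
    $TC qdisc del dev "$dev" root 2>/dev/null
    $TC qdisc add dev "$dev" root handle 1: htb default 0
    $TC class add dev "$dev" parent 1: classid 1:1 htb rate "${rate}kbit" burst 6k
    # Child rates sum to the parent's rate (the thread notes wondershaper's do not).
    $TC class add dev "$dev" parent 1:1 classid 1:10 htb \
        rate "$((rate * 3 / 10))kbit" ceil "${rate}kbit" prio 1 burst 6k
    $TC class add dev "$dev" parent 1:1 classid 1:30 htb \
        rate "$((rate * 7 / 10))kbit" ceil "${rate}kbit" prio 2 burst 6k
    $TC qdisc add dev "$dev" parent 1:10 handle 10: sfq perturb 10
    $TC qdisc add dev "$dev" parent 1:30 handle 30: sfq perturb 10
    # Exemptions first: u32 filters are tried in ascending prio order.
    for net in "$@"; do
        $TC filter add dev "$dev" parent 1: protocol ip prio 1 u32 \
            match ip dst "$net" flowid 1:99
    done
    # ICMP (IP protocol 1) goes to the interactive class.
    $TC filter add dev "$dev" parent 1: protocol ip prio 10 u32 \
        match ip protocol 1 0xff flowid 1:10
    # Catch-all for the remaining IP traffic. Non-IP frames such as ARP never
    # match "protocol ip", so they also leave unshaped instead of landing in 1:30.
    $TC filter add dev "$dev" parent 1: protocol ip prio 99 u32 \
        match u32 0 0 flowid 1:30
}

# Example invocation (constructed values): 1000 kbit uplink, two DMZ networks.
# shape_exempt_dmz eth0 1000 192.0.2.0/24 198.51.100.0/24
```

Run it with TC=echo first and check that the 1:99 filters are listed before the prio 99 catch-all; only then apply it for real on the NAT box's external interface.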